Filezilla3 final released

spucek
226 Transfer OK
Posts: 128
Joined: 2007-08-28 16:36

Filezilla3 final released

#1 Post by spucek » 2007-09-08 20:13

Good job. I am hoping that some missing features which were in fz2, and some new ones as well, will eventually be added ( http://filezilla.sourceforge.net/forum/ ... php?t=4132 ).
I like the new FZ icon too! :p
I also noticed that FZ2 uses 6Mb of RAM and FZ3 10MB, but I think that in times when 1GB of RAM is a standard, that isn't a problem.

I can't find an explanation of the function "filename filters", not in the forum, not even on the wiki page. Can someone describe to me what it can do for me? Is it maybe that files which satisfy the condition are skipped?
edit: ok, I tried that feature and it actually doesn't show, upload, or download files/folders which satisfy the filter's condition(s) which are active. It might come in handy ;) .

sr1515
504 Command not implemented
Posts: 8
Joined: 2007-09-08 22:02

Unencrypted passwords in sitemanager.xml

#2 Post by sr1515 » 2007-09-08 22:10

Any reason why passwords are saved unencrypted in the sitemanager.xml file? FileZilla 2.2.32 used to save this information in the registry and the password strings were not legible with that version. I strongly suggest reverting to encrypting such information.

Apart from that, this new version works very well.

botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Unencrypted passwords in sitemanager.xml

#3 Post by botg » 2007-09-08 22:24

sr1515 wrote:Any reason why passwords are saved unencrypted in the sitemanager.xml file?
It's the task of the operating system to protect the user's files.

spucek
226 Transfer OK
Posts: 128
Joined: 2007-08-28 16:36

#4 Post by spucek » 2007-09-08 22:25

:shock: It's true, passwords aren't encrypted!!!! In fz2 they are. I guess this is another feature which is at the moment not present in fz3 :\ .

botg: what about users who changed the location for settings to the FZ dir (for usage on USB sticks)? And most users aren't using multiple (correctly configured) win accounts to protect files.

botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#5 Post by botg » 2007-09-08 22:38

spucek wrote: what about users who changed the location for settings to the FZ dir (for usage on USB sticks)? And most users aren't using multiple (correctly configured) win accounts to protect files.
Encryption or not, it makes no difference. If you cannot trust the system then don't even bother using it.

sr1515
504 Command not implemented
Posts: 8
Joined: 2007-09-08 22:02

Re: Unencrypted passwords in sitemanager.xml

#6 Post by sr1515 » 2007-09-09 14:57

botg wrote:
sr1515 wrote:Any reason why passwords are saved unencrypted in the sitemanager.xml file?
It's the task of the operating system to protect the user's files.
And, how exactly is the O/S going to take care of protecting the content of a file owned by an application? For one, why do you think Mozilla encrypts passwords in their applications? In this specific situation, the O/S has nothing to do with FileZilla's settings except ensuring that the file in which they are saved is appropriately written to disk. That is unless you would somehow have the O/S encrypt FileZilla's settings before they are written to disk but that is certainly not the case here. I'm sorry but your answer just doesn't cut it.

anjanesh
500 Syntax error
Posts: 16
Joined: 2005-12-14 12:40
Location: Mumbai, India

Re: Unencrypted passwords in sitemanager.xml

#7 Post by anjanesh » 2007-09-09 15:44

sr1515 wrote:Any reason why passwords are saved unencrypted in the sitemanager.xml file? FileZilla 2.2.32 used to save this information in the registry and the password strings were not legible with that version. I strongly suggest reverting to encrypting such information.
Previously a lot of people asked for password retrieval when they couldn't recollect the password (and the only copy was in the filezilla.xml file), and the only solution they could find on the net was to check the C++ code for encryption details and decrypt!

It would be nice if there was an option to encrypt or not to.

botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Unencrypted passwords in sitemanager.xml

#8 Post by botg » 2007-09-09 15:46

sr1515 wrote:I'm sorry but your answer just doesn't cut it.
Go back into your cave. If you actually had the technical understanding on how computers work, you would know that password obfuscation is pointless.

anjanesh
500 Syntax error
Posts: 16
Joined: 2005-12-14 12:40
Location: Mumbai, India

#9 Post by anjanesh » 2007-09-09 17:59

botg - I think sr1515 meant to ask how the OS can encrypt the password field in the sitemanager.xml file - that's not the OS's job - it's the application's.


<Pass>my-password</Pass>

sr1515
504 Command not implemented
Posts: 8
Joined: 2007-09-08 22:02

Re: Unencrypted passwords in sitemanager.xml

#10 Post by sr1515 » 2007-09-09 18:28

botg wrote:
sr1515 wrote:I'm sorry but your answer just doesn't cut it.
Go back into your cave. If you actually had the technical understanding on how computers work, you would know that password obfuscation is pointless.
What kind of an arrogantly stupid answer is that? What is your understanding of how computers work for one? Come on, spell it out and come up with something else than utterly immature insults to answer a legitimate request. If you're so good do explain why passwords are not obfuscated in FileZilla. Make your case very well because I can guarantee you that you will eventually have to concede that storing passwords in the clear is totally wrong.

Here, since FileZilla stores passwords in an XML file, see what Oracle considers appropriate password management within XML files:

Password Management

http://download.oracle.com/docs/cd/B140 ... m#i1005556

Are you going to say that the Oracle people are stupid now?

Here's another:

Password Management Best Practices

http://p-synch.com/docs/password-manage ... tices.html

And another:

Secure Password Storage

http://www.securitydocs.com/library/1245

Finally, see how you would highly benefit from reading this book:

Secure Coding Principles and Practices

http://www.securecoding.org/

Come back with your reply when you're able to express your point of view like an adult instead of behaving like a total jerk and perhaps then will people respect your position on application development and computer security.

Good luck...

botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#11 Post by botg » 2007-09-09 18:57

Debunking the myths, or why password obfuscation is useless.

Assume FileZilla had encrypted passwords. So what does FileZilla do if you enter a password? It encrypts it and stores it on the disk.
Next time you open FileZilla, it loads the encrypted password and decodes it. The question is, how does it know the encryption key? Two possible options:

1) FileZilla specifically asks the user for the encryption key on loading and saving passwords. The problems with this:
1a) Nothing is gained, user has to remember a different key instead of his server password
1b) Every application would have to implement this, which is not a good idea. So instead, it's a better idea to let the operating system protect the user's files

2) Encryption key is stored on the disk as well as the password. Does this bring any additional security? No, any attacker who has access to the running system can then decrypt the password as well.

The solution is so simple: The operating system has to provide a secure storage for the user's files and settings by means of an encrypted home directory which is only accessible while the user is logged in.
At least since Windows 2000 (maybe NT4) this has been implemented, Windows does support file encryption natively.
Encrypted file systems are also available for all other operating systems.

The point is this: If you cannot rely on your system to keep your files protected from attackers, don't bother saving passwords in the first place.
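
Added example, not part of the original post or of FileZilla's code: a small Python audit of the point argued above, that what protects a stored password is the operating system's access control on the file. It lists which entries of a site file carry a non-empty `<Pass>` value (without printing it) and checks whether POSIX permissions let other accounts read the file; the sample XML is constructed, and every element name other than `<Pass>` is an assumption.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample. Only the <Pass> element appears in the thread; the
# surrounding <Server>/<Host>/<User> layout is an assumption for illustration.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server><Host>ftp.example.org</Host><User>alice</User><Pass>my-password</Pass></Server>
    <Server><Host>files.example.net</Host><User>bob</User><Pass></Pass></Server>
    <Server><Host>backup.example.com</Host><User>carol</User><Pass>another-secret</Pass></Server>
  </Servers>
</FileZilla3>
"""


def audit_site_file(path):
    """Report stored passwords and whether the OS restricts the file to its owner."""
    findings = {"hosts_with_stored_password": [], "mode": None, "readable_by_others": None}
    tree = ET.parse(path)
    for server in tree.getroot().iter("Server"):
        pw = server.findtext("Pass") or ""
        if pw.strip():
            # Record which entry is affected, never the password itself.
            findings["hosts_with_stored_password"].append(server.findtext("Host", "?"))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings["mode"] = oct(mode)
    # POSIX permission bits only; on Windows the ACL has to be inspected instead.
    findings["readable_by_others"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return findings


def demo():
    """Write the sample twice: world-readable, then owner-only, and audit both."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sitemanager.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_XML)
        os.chmod(path, 0o644)
        before = audit_site_file(path)
        os.chmod(path, 0o600)
        after = audit_site_file(path)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```
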

JustPassingThru
500 Command not understood
Posts: 1
Joined: 2007-09-09 18:54

Re: Unencrypted passwords in sitemanager.xml

#12 Post by JustPassingThru » 2007-09-09 18:57

botg wrote: Go back into your cave. If you actually had the technical understanding on how computers work, you would know that password obfuscation is pointless.
Your ignorance is blaringly obvious.

botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Unencrypted passwords in sitemanager.xml

#13 Post by botg » 2007-09-09 19:05

JustPassingThru wrote:
botg wrote: Go back into your cave. If you actually had the technical understanding on how computers work, you would know that password obfuscation is pointless.
Your ignorance is blaringly obvious.
Tell me, what do you think about "Security through obscurity"? From what I'm reading in this thread, lots of people seem to embrace this flawed concept.

ddcc
500 Command not understood
Posts: 2
Joined: 2007-09-09 19:11

#14 Post by ddcc » 2007-09-09 19:14

When users can remember just one complex key rather than multiple complex passwords and an operating system grows increasingly bloated and turns into crap, individual programmers themselves need to take responsibility as after all, they are writing for the users themselves.

botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#15 Post by botg » 2007-09-09 19:28

ddcc wrote:When users can remember just one complex key rather than multiple complex passwords and an operating system grows increasingly bloated and turns into crap, individual programmers themselves need to take responsibility as after all, they are writing for the users themselves.
Instead of working around the symptoms of a bad system, isn't it better to switch to a better operating system instead? There's really no need for every application developer to reinvent the wheel.
